Sunday, March 4, 2018

An Ode to Critics (IOTA and DCI)

Recently I heard there is the possibility that one or more actors associated with the IOTA project suggested the possibility of some form of legal action against members of the DCI responsible for an unfavorable analysis of IOTA's core technology. Rather than rehash the entire affair here, I'd recommend these sources as reference points (DCI Audit Report) (Blog Post) (IOTA Response) to bring everyone up to speed.

What is provoking me to draft a blog post on this topic is that I offered to pay legal fees DCI actors would incur as a result of their audit of IOTA in the event an agent of the IOTA Foundation or its associates decides to sue a member of the DCI. This offer was immediate and without preconditions. It also isn't connected to an opinion of the soundness, or potential lack thereof, of IOTA's technology.

To be frank, I could care less whether IOTA works, accomplishes its commercial goals or how it manages its ecosystem and community. What concerns me far more as a developer of cryptocurrencies is the relationship between security and cryptographic researchers and protocols we develop for our space.

The reality is that we have a symbiotic relationship. Researchers enjoy spending countless hours attempting to find flaws (theoretical and practical) in the philosophy, design and implementation of our work. These hours are seldom glorified or even compensated. They are generally ignored by the mainstream public outside of an occasional sensational headline by a low information journalist. But they are absolutely necessary to evolve our work.

For the researchers, they gain academic credit, the occasional job and the intellectual joy of resolving a problem. These perks aren't exclusive to a particular protocol or even the cryptocurrency space. Inflicting havoc on Ed25519 yields just as many brownie points as finding an issue in Ethereum's network protocol.

Having paid private firms literally hundreds of thousands of dollars in consulting fees to audit code IOHK writes, I fully appreciate the value of this foundational work. In fact, often one simply cannot hire the top minds as they are only interested in university affairs. Thus their time and effort is not only valuable, it can even be simply irreplaceable.

If a member of our space begins to attack researchers he feels have been unfair in their assessment or criticism, then this event cascades far beyond the immediate actors involved. It fundamentally damages the vital symbiotic environment between researchers and protocol developers. In other words, it directly hurts Cardano, Ethereum, Zcash and every other project.

Most graduate students, postdocs and professors do not have extensive resources to defend themselves against well-capitalized cryptocurrency projects that don't actually have to win a case in order to massively disrupt the lives of these researchers. Going to court is expensive, emotionally exhausting and takes a huge amount of time. If a security researcher feels his work could provoke this event, even if it's objectively true, then they will simply choose a different topic.

I also can fully appreciate the discomfort of criticism that members of the IOTA community and the developers themselves are enduring. I have first hand experience with the blatant unfairness of constant attacks over social media, blog posts, at events and through other channels where lies, half truths and baseless innuendo replace an effective dialogue. It's always painful and often crosses the threshold to malicious slander.

But it's extremely important to understand that not all criticism is unfair and even within the set that is unfair, the actors levying it ought to be considered. The academic world is tightly regulated via credentials, unspoken rules and a strong emphasis on reputation. Attacking someone unfairly isn't a pattern that can be repeated without severe career consequences.

Thus the most common response to attacks coming from academia is to prepare a fact-based rebuttal. It doesn't necessarily mean the attack will be deflected or withdrawn, but it forces the critic to acknowledge your rebuttal and provide additional context and clarity.

This process is on display for the entire academic community to form opinions. If a researcher is dishonest, has conflicts of interest or is omitting/missing key points, then it will eventually be discovered. If it's a common pattern, the researcher will be socially exiled from academia.

A prominent example in the cryptographic world comes from Dr. Neal Koblitz. He levied an aggressive series of attacks on the concept of provable security. Neal's credentials are impeccable having created elliptic curve cryptography and being a Harvard educated Putnam fellow. Despite his enormous contributions to the field of cryptography, he wasn't given a pass on what many feel is unfair criticism. And it has had career consequences.

Escalation to courts is generally only done in cases of known fraud and institutional cover-up. For example, the falsification of collected data to skew results to some desired outcome. The consequences are always brutal once discovered. As particular examples, one can review the Schön scandal and also the Paolo Macchiarini affair.

Nothing in this audit seems to deserve an escalation of this nature. A researcher made a claim and provided an argument with a set of evidence. The developer says this claim is false. It's an argument and it has an objective answer for the world to see.

Thus, I have no choice but to apply some of my personal resources as a counterbalance to protect the integrity of the system I have so benefited from throughout my academic and professional career. I would recommend that the IOTA community exercise the stoicism of the person who created the heart of their protocol as he continued to teach while students rudely interrupted his class.

I'd also like to remind them that MIT and the broader academic community aren't going away. Direct attacks, even if victorious, will have Pyrrhic consequences.

I hope the matter is closed and everyone can move on to better things.

36 comments:

It's a difficult one. People should be free to investigate, but others should be free from the spread of malicious falsehoods.

The spreader of falsehoods may eventually be found out, but what value does that have to the injured party if irreversible has already been done? And how is it a disincentive if the malicious party stands to gain from a competing product and can later merely say "I made a mistake"?

Charles, it is hard for researchers to resist the temptation to use their knowledge to pursue a quick FUD in order to profit from the cryptocurrency markets. IOTA has shone a light on these perverse incentives, and you would be much better using your money to stamp out these practices rather than supporting a tit for tat legal battle.

So if someone accuses you of a crime, without proving you did that crime, you don't have the right to defend yourself for this accusation? "That's why there is a responsibility on both sides." There was an intentional motivation to cause damage to IOTA by the simple fact that the "researcher" did not prove how the "finding" could cause any vulnerability or damage to the network or IOTA token (tokens were never in danger).

A real researcher would never act this way by turning public a "vulnerability" that was never proven. That's all what IOTA co-founder wants from them, to show him where is the "vulnerability" (no reply from the "researcher" to date).

This was intentional by the researcher and as a result he needs to pay and be responsible for his acts, this should be an example for other researchers to think very well before making a PUBLIC ACCUSATION without proof.

The IOTA Foundation has released a public statement saying that if DCI either prove there was a flaw or that they apologize for jumping the gun they will retract any legal action. I see it more of a move just to finally get a public apology and put some of this FUD to bed finally.

You wrote: "A researcher made a claim and provided an argument with a set of evidence. The developer says this claim is false." which I would agree completely to but I don't think that's exactly what happened here. Yes the developer said the claim was false but the developer also asked for more information to do more research on his own which the researcher did not reply to. I am not talking about the claims being true/false or fraud (I don't have a good technical understanding) but don't you think the researcher should have supplied that information to keep a good relationship between researchers and developers (as stated in your paragraph #3)? What else should a developer do to get more information to potentially fix his code to prevent vulnerabilities when researchers don't reply?

Oh, my! I must've missed the presentation of proof from DCI as is the norm in this space. Please, let's not become civil in an effort to hide conflict of interest from DCI. The indefensible are often very expensive to defend. Happy check writing!

Charles, you missed the mark here. DCI intentionally attempted to hurt and discredit the IOTA foundation in an attempt to gain an unfair advantage in a tender bid where both technologies were competing against each other. This was a criminal act by DCI, period.

Can I ask whether Ethan/DCI's IOTA attacks were peer reviewed and challenged by your academic peers, before they were 'published'? The lack of a formal peer review is the real issue here, and you are taking a dangerous double standard to expect IOTA to peer review their work when clearly Ethan/DCI have not done any of it.

I personally don't think that to stimulate cheating/misleading is something of which you could be proud... exactly the opposite... you should discourage it...doesn't matter what title you have..as we all know in the crypto sphere the trust is not at a high levels as we all see the scamming/cheating/misleading is happening on daily basis ...

I don't think it's the criticism itself, rather the lack of proof, response and the rash publishing of ungrounded facts that has tickled people's pride. It's really important to lay the ulterior motives out in the light of day.

You offer your help (money) prematurely and daringly. You seem civilized now and you intend to politicize. But anyone, even if it is not a developer, finds out by reading the emails that something smells very bad in the way the researchers handled the matter.

Charles, I had high regards for you until this post. I understand and support the basic point you are making of protecting researchers. It is, however, very disappointing that you can claim that the Researcher provided evidence. Really? Have they? Really, Charles?

Have those emails provided you with irrefutable evidence that IOTA was vulnerable?

What about the researcher's unwillingness to jump and discuss the matter on Slack? How do you find that? Can you really say that they were well-intentioned?

This post leaves the bad taste that you are trying to protect your relationship with researchers because Cardano makes the big claim that it is: "the first peer-blockchain powered by scientists". It seems, given your association with scientists, you are blindly taking sides with the hope to continue benefiting from their moral backing. This would be unfortunate if this would be the case.

What I really hope is for DCI to write a solid paper and publish it in TOP software engineering, distributed systems, or security conferences or journals. Maybe we then get real scientific evidence of their claims.

Sergey Ivancheglo (CfB) did NOT say he was planning to sue the DCI Ethan Heilman. This is a personal issue between the two and has nothing to do with the Iota Foundation. CfB wants to get a lawyer involved to clear the communication, not for suing purposes. CfB also wrote you a letter in this blog: https://medium.com/@comefrombeyond/open-letter-to-charles-hoskinson-97c9d5a682d8

I read the emails. I don't know how any academic or rational person can come to any other conclusion than DCI intended to do harm to IOTA. They delivered no proof, published early then went silent. Absolutely agree with you that we don't want attacks on researchers. However, this seems very much a case of academic fraud rather than an unjust attack on researchers by a major crypto. Charles, please take a moment of your time to read those emails and follow-up on this.